The EU General Data Protection Regulation, or GDPR, is one of those tech law concepts that was a huge buzzword around 2018, when it came into force. Now, GDPR continues to shape how most businesses and law firms handle data. I've previously had to complete GDPR training sessions for volunteering, work experience and internships! GDPR is also often in the news, and can come up in any interview, so this Learn is going to cover the basics and give you a solid grounding in GDPR.
To break down what GDPR really entails, we are going to look at this topic letter by letter.
To remember one of the main goals of GDPR, we might think of 'general' here as meaning uniformity, or 'harmonisation'.
One of the most important concepts underpinning GDPR is that it applies across Europe. The reason for this is that data is constantly transferred between member states. A large firm might have offices in Paris and London, and clients in Germany, Ireland, and Italy. As such, if there were different data protection requirements in each state, the ease and efficiency of data protection would be impeded. Instead, Europe adopted a general regulation, directly applicable in all EU (and EEA) member states, replacing the earlier Data Protection Directive, which each state had implemented in its own way. It also reaches beyond Europe: an organisation established outside the EU is still caught if it offers goods or services to people in the EU, or monitors their behaviour there. This is useful for encouraging business, as customers feel that their data is protected, and multi-national businesses can adopt one uniform approach to data storage, retention, and destruction.
You might compare the EU approach to America, which has no single federal data protection law: the rules vary by sector and by state. Some states have, however, legislated for more stringent data protection. A leading state in this area is California, whose California Consumer Privacy Act (CCPA) has been seen as giving US consumers protections similar to those under the GDPR.
So, having grasped the general purpose of GDPR, it is important to establish what data is actually protected.
'Data' here means personal data, which is a pretty broad category: any information relating to an identified or identifiable living person. You count as identifiable if you can be picked out directly or indirectly, so it covers obvious identifiers such as your name, address, or an identification number, but also location data, online identifiers like an IP address or cookie ID, and even a set of initials or an exam candidate number if they can be linked back to you. Pseudonymised data (where names are replaced by a code or key) is still personal data as long as someone can reverse the mapping.
On top of this, there are the 'special categories' of personal data (often still called sensitive personal data, the term used under the older UK Data Protection Act). Processing these is prohibited unless a specific exception applies, because misuse can cause serious harm to the person. They are: racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic data; biometric data used to uniquely identify someone; health data; and data about a person's sex life or sexual orientation. Data about criminal convictions and offences is protected with similar care under a separate provision.
Finally, it is crucial to note that you can ask to see the data held about you, through a process known as a Data Subject Access Request (DSAR). It is normally free, though a reasonable fee can be charged for requests that are manifestly unfounded or excessive, or for extra copies. Only the data subject can make the request, or someone acting with their authority, such as a solicitor or a parent on behalf of a child. GDPR gives no right to the data of a deceased person, which is left to national law, and its protections only apply to living people, not legal entities like companies.
So, having explained what data actually is, how does GDPR protect us, the data subjects?
Well, there are two key protections:
1- Our Rights
Under GDPR, data subjects have many rights, including the right to
-withdraw consent to our data being stored or processed (where consent was the legal basis in the first place), at any time and as easily as we gave it
-submit a data subject access request, as discussed above
-have our data erased (the 'right to be forgotten'), or have a mistake on our record corrected, if there are sufficient grounds. Further rights include data portability, objecting to certain processing such as direct marketing, and having processing restricted while a dispute is resolved.
2- The data controller's obligations
The entity that decides how and why our data is collected, stored, and used (the data controller) also has responsibilities. They must
-explain how they use and store our data, generally through a privacy notice or data privacy statement
-have a legal basis for processing our data. Consent is the best-known basis, but it is only one of six: the others are performance of a contract, a legal obligation, protecting someone's vital interests, a public task, and the controller's legitimate interests (balanced against our rights)
-keep the data no longer than necessary for the purpose it was collected for, and then delete or anonymise it. GDPR does not set a fixed period; the right retention time depends on factors such as the legal basis for processing and any statutory record-keeping duties, and is often a few years
-keep the data secure with appropriate technical and organisational measures, and report a personal data breach to the regulator within 72 hours of becoming aware of it, where the breach is likely to put people's rights at risk.
Why do companies follow GDPR? Beyond caring for their customers (hopefully) and supporting data rights, the main reason for compliance is FINES. So many fines.
GDPR is effective because the fines can get hefty, and they come in two tiers. Breaches of the controller's and processor's duties, including the duty to keep data secure, can be fined up to €10 million or 2% of the firm's worldwide annual turnover from the preceding financial year, whichever amount is higher. Breaches of the core principles, of data subjects' rights, or of the rules on transfers outside the EU attract the higher tier: up to €20 million or 4% of worldwide annual turnover, again whichever is higher. The percentage option is particularly useful when dealing with tech companies (who often handle a lot of data). That is because a €10 million or €20 million fine to Facebook or Apple or Amazon is really not a very big amount, but 2% or 4% of turnover might be, and, as noted above, GDPR applies whichever gets them more in trouble. For example, in 2019 the UK's ICO announced its intention to fine British Airways £183 million for its 2018 data breach (the final penalty, issued in 2020, was reduced to £20 million after BA's representations and in light of the pandemic, but it remained one of the largest UK fines to date).
However, GDPR also bites on a smaller scale. If you make a data subject access request to see what data a company holds on you, it must respond without undue delay and in any event within one month. It can extend that by up to two further months where requests are complex or numerous, but must tell you within the first month that it is doing so and why.
So, GDPR is one mighty reform. It harmonises data regulation in Europe, through clear definitions of data, obligations and rights, and strict penalties for companies found in breach.
Think you understand the concept? The next step is then to test your knowledge of GDPR. Conveniently for you, we've developed the Learn: GDPR quiz below. Research shows that thinking about new concepts in practice allows for 'deep' learning which makes you retain information much longer and more accurately. Have fun and thank you for reading!